Bad things happen in threes, but also good things, too. Think about The Supremes, or your standard fairy-tale wish quota, or that trio of star trilogies with the hero and his asthmatic father. (The last one works either way.) And, of course, think IT governance, risk management, and compliance, which you might sometimes read as GRC.
These three policies are the faith, hope, and charity of the cybersecurity world. That’s because when you’ve got the set – and got them down good in an overarching GRC framework – they’ll bless you with the kind of cybersecurity that makes angels and shareholders weep happy tears.
So here’s our unasked-for-yet-hopefully-useful Guide to IT Governance, Risk Management, and Compliance.
IT Governance, Risk Management, and Compliance. What’s It All About?
So glad you asked. It’s complicated. Let’s start with some quick introductions because who doesn’t like introductions?
IT Governance: Still Not IT Management
IT governance is a framework for directing how an organization uses IT. Its purpose is to ensure that IT is aligned with, and optimized for, business goals. It’s a piece of the corporate governance pie. IT governance directs/instructs/guides the whole IT ecosystem, including:
- Mitigating cybersecurity risk
- Improving IT investment decisions
- Maintaining the quality and reliability of information systems
- Complying with regulatory and legal stuff
- Improving organizational culture
- Guiding IT strategy and operations
- Being accountable for IT overall
An IT governance framework can be home-grown but you can also find off-the-shelf IT governance frameworks like COBIT, because why reinvent the dongle?
Note: IT governance is not IT management, and it’s not IT strategy, but you need all three to have a fully grown-up IT ecosystem.
Risk Management: Adventures In Fear
Risk sounds, well, risky. And it is. Risk is the potential for bad things to happen to a business via threats and vulnerabilities. Here’s a scary example:
A Scary Example
| Threat | Nasty-but-clever hackers love to infiltrate software loopholes for nefarious purposes. |
| Vulnerability | You have no way of forcing your beloved team members to update their dang software. |
| Risk | Congratulations! You are now the parent of a bouncing baby denial-of-service attack, your system’s down, and you’ve lost $4,534,534.45 in customer orders. |
Risk management is what you do to manage risks (duh), which you’ll do by:
- Identifying and assessing the threats and vulnerabilities
(i.e., hacker, useless team) - Quantifying, scoring, and prioritizing the risks
(e.g., one hour downtime = $45,045,459,845.09 in lost sales) - Taking action to minimize the risks
(e.g., enforce updates using the joys of MDM)
Compliance: Sounds A Bit George Orwell, But It’s Actually Quite A Good Thing
Compliance sounds like a dirty word to us freedom-loving Americans, but we need to get over ourselves and bask in the goodness that compliance brings, i.e., IT systems that don’t suck and more opportunities to worship capitalism by raking in big-dollar contracts that you only get by having compliance credibility.
In IT, compliance means sticking to the rules, regulations, best practices, and organizational policies that are designed to protect data.
There are lots of different compliance frameworks. (yep, frameworks again). Some are required by law, depending on the industry you’re in (e.g., HIPAA) or the type of data you handle (e.g., PCI-DSS).
Some, like SOC 2, are entirely voluntary but often expected. Some are created by industry regulatory bodies or interest groups, like the beautiful behemoth that is ISO 27001, created by the International Standards Organization, which love love loves standards. Some are created by corporations to make sure that if they give you business, you’re not going to screw them with your laughable cybersecurity. And, hey, maybe even your own CIO gave metaphorical (bureaucratic) birth to your very own in-house compliance standards. Ain’t you the lucky one?
Overall, most compliance frameworks are created to protect the confidentiality and integrity of data in a consistent way by applying or recommending security controls and processes.
So, How Do These All Fit Together?
IT governance, risk management, and compliance fit together in the manner of today’s shoddy metaphor:
Today’s Shoddy Metaphor
Imagine you’re at the Kennedy Center in Washington, D.C., ready for a high-octane dose of the classics, like maybe some bangin’ Beethoven – because, let’s face it, Mozart can get a bit twee.
Conductor Marin Alsop steps out. She’s IT governance. She’s the boss. She (like IT governance) directs everything.
Under her baton is risk management, in the form of the National Symphony Orchestra. They do what IT governance directs them to do. There are lots of peeps involved, and they all have a vital part to play, even the wee triangle player at the back.
Compliance is like the songsheet, libretto, or whatever is sitting on Alsop’s music stand. Alsop and all the orchestra members are working together from the same framework. Alsop might interpret the music in her own way, but she won’t actually change the tune. In a similar fashion, IT governance may adapt a compliance framework but will essentially follow it.
TL: DR – IT governance directs risk management using the compliance framework, which puts the compliance framework into real life. Did that work? Nope, not really. But you get it.
Enough Of Shoddy Metaphors. How Do I Make Sure I’m Doing GRC Right?
Here’s the bottom line: you’re looking for a flavor of GRC to infuse your IT ecosystem with robust cybersecurity practices and processes that minimize the risk of data breach, improve business performance, and, heck, maybe even extend your capabilities. (Psst, wanna hire from anywhere but safely?)
Still not sure where to start? Try this:
- Identify your business objectives. When you know where you’re going, you can create a GRC framework that can help you get there.
- Identify the IT that’ll help you achieve your objectives. We’re not talking hardware – we’re talking about the whole IT ecosystem and organizational culture.
- Define your IT governance framework based on what you want to achieve. Perhaps this involves compliance with a particular cybersecurity framework, and creating an IT strategy to ensure it incorporates risk management.
And what do you do in the afternoon? Nope, we’re joking, obvs. This is major IT change management in practice.
We’re Friends With GRC, So Let Us Help You
IT governance, risk management, and compliance are all integrated, and the good news is that you can often kill two, three, or ten burritos with one donut. Wherever you’re starting from, you’re probably already doing a whole ton of things right, and we can assess this for you. Whether you just need a few tweaks or you’re just starting out on your GRC adventure, give us a call. We’ll help you knock out some of those burritos. (We’ll even bring the donuts!)
Ignition is Silicon Valley’s best (and friendliest) IT security, compliance, and support team. Contact us now – chatting about IT support and cybersecurity is our favorite thing to do!